Seaborne Freight Website — What Went Wrong?

We take a look at some critical issues to consider when deploying a website

Welcm
Jan 4, 2019 · 4 min read

Anyone following the Brexit news closely in the UK will no doubt be familiar by now with Seaborne Freight — who were recently awarded a contract to run a freight service between Ramsgate and Ostend in the event of a no-deal Brexit.

Our attention at Welcm Software was drawn to the recent story about their website displaying “boilerplate” terms and conditions from what appears to be a takeaway food business.

This is embarrassing for any company, but very common: just googling for blocks of lorem ipsum text will display thousands of examples of this placeholder text on live sites.

However, the back-end problems affecting the site were more of an issue.

We’re always interested in what technology drives popular websites, so a quick check on Wappalyzer revealed seabornefreight.com was running a Laravel installation.

Since we’re big Laravel fans, we did some searching and saw tweets by cyber security researchers @Cybercymru and @GossiTheDog on Twitter showing that the site’s owners had made a few basic but fundamental mistakes in deploying their Laravel website. These were:

  • The site had not been fully tested prior to deployment — there were some broken links, some links going to Google, and the contact form failed due to missing email settings.
  • The site environment settings were set to local, not production.
  • Debugging was enabled, and the domain was set incorrectly to the dev site.

As can be seen, the critical problem here is that error logs and debug information (including sensitive password data) can potentially be exposed to any visitor to the website.

Screenshot courtesy of @GossiTheDog

Here’s another example of the output when a contact form causes an exception to be thrown:

There also seems to be a wildcard redirect for any subdomain (e.g. https://abc123.seabornefreight.com) that goes to api.britishonlinesupermarket.net, which naturally causes an ERR_CERT_COMMON_NAME_INVALID error. Not a huge problem, but one that can and should be resolved.

Thankfully, due to the way Laravel projects are deployed, it’s a very quick fix to at least stop this debug information displaying (see below) and this critical issue has indeed been quickly resolved by the site owners.

Any errors when debugging is set to false will now display the following by default:

Much safer!

If you’re launching a Laravel website (in fact most of these apply to all websites), here’s a deployment checklist to make sure you cover off the critical issues.

Deployment Checklist

  1. Test the site on all the main browsers — at least Chrome, Firefox, IE/Edge and Safari on desktop at various resolutions and on Android and Safari mobile browsers. Check for any console errors on desktop browsers too.
  2. Check your content is accurate and as typo-free as possible — no placeholder text or boilerplate!
  3. Create a test plan for interactive features such as contact forms or login areas
  4. Check your 404 page and other error pages are accurate and professional — this is from Seaborne Freight…

  5. Ensure all URLs redirect to
  6. Check your site links or code doesn’t reference anywhere and instead uses
  7. Check your jQuery and JS for any commands and remove them
  8. Choose between www or non-www for your URLs and configure redirects accordingly
  9. Set up analytics — unusually, the Seaborne Freight website seems to have no analytics packages installed. We recommend using Google Tag Manager and Google Analytics on any deployment.
  10. Here’s the critical one: Check your file is configured correctly, here is a default file in a new Laravel installation:

APP_NAME=Laravel 
APP_ENV=local
APP_KEY=base64:ThisIsAnExampleKey/AndNotARealOne=
APP_DEBUG=true
APP_URL=http://localhost

Here’s how it should now look on the Seaborne Freight live site:

APP_NAME=Seaborne 
APP_ENV=production
APP_KEY=base64:ThisIsAnExampleKey/AndNotARealOne=
APP_DEBUG=false
APP_URL=https://seabornefreight.com

Ensure all these fields are correct for your deployment, note: and

(Do the same for Vue js if it is being used)

Also make sure your email settings and any other API keys, logins or passwords in your file are correct.
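Item 10 can be automated as a pre-deploy gate. The following is an added example, not code from the original article or from the Seaborne Freight site: it parses the environment file and reports the misconfigurations described above. The function names, the requirement that `MAIL_HOST` is set, the all-zero sample key and `smtp.example.test` are assumptions made for illustration.

```python
import base64
from urllib.parse import urlparse

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, unquoting values."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def key_length(app_key):
    """Byte length of APP_KEY; 0 if a base64: payload does not decode."""
    if not app_key.startswith("base64:"):
        return len(app_key.encode())
    try:
        return len(base64.b64decode(app_key[7:], validate=True))
    except ValueError:
        return 0

def check_env(text, expected_host):
    """Return findings for a production deploy; an empty list passes the gate."""
    env, findings = parse_env(text), []
    if env.get("APP_ENV") != "production":
        findings.append("APP_ENV is not 'production'")
    if env.get("APP_DEBUG", "").lower() != "false":
        findings.append("APP_DEBUG is not explicitly false")
    url = urlparse(env.get("APP_URL", ""))
    if url.scheme != "https":
        findings.append("APP_URL does not use https")
    if url.hostname != expected_host:
        findings.append("APP_URL host is not " + expected_host)
    if key_length(env.get("APP_KEY", "")) not in (16, 32):
        findings.append("APP_KEY is not a 16- or 32-byte key")
    if not env.get("MAIL_HOST"):  # assumption: the contact form sends via SMTP
        findings.append("MAIL_HOST is not set")
    return findings

# The default file shown in the article, and a constructed corrected file.
PAGE_DEFAULT = ("APP_NAME=Laravel\nAPP_ENV=local\n"
                "APP_KEY=base64:ThisIsAnExampleKey/AndNotARealOne=\n"
                "APP_DEBUG=true\nAPP_URL=http://localhost\n")
CONSTRUCTED_KEY = "base64:" + base64.b64encode(bytes(32)).decode()  # placeholder
CONSTRUCTED_FIXED = ("APP_ENV=production\nAPP_DEBUG=false\n"
                     "APP_URL=https://seabornefreight.com\n"
                     "APP_KEY=%s\nMAIL_HOST=smtp.example.test\n" % CONSTRUCTED_KEY)

if __name__ == "__main__":
    print("\n".join(check_env(PAGE_DEFAULT, "seabornefreight.com")))
```

Run against the default file, every check fails, including the key check, because the article's example key is deliberately not a real one. A CI job can fail the deploy whenever the returned list is non-empty.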

If you follow all of these steps you should be well on your way to having a robust, secure and reliable website.

Of course at Welcm Software we’re happy to help with any of the above, so feel free to get in touch to find out how we can help with your development projects.


Like this story? Please follow us on Twitter.

At Welcm we design, develop and support touch screen applications and systems.

If you have a project you would like to discuss please send an enquiry from our contact page, email us at enquiries@welcm.uk or call us on 01252 950 650.

We also make Visitor Management Easy at https://welcm.ly

Originally published at welcm.uk.

Written by

Welcm

We design, develop and support websites, apps and custom software. Find out more at https://welcm.uk. We also make Visitor Management Easy — https://welcm.ly
